Using Liferay SSO with Oracle Access Manager 11g

Well, I was given a challenging task – using Oracle Access Manager 11g as an SSO provider for Liferay 6.0 (the community edition…).
Now, as you might know – there is no built-in OAM support for Liferay – so I was stuck with configuring one myself. Since I didn’t even have the OAM installed – I’ll detail all the steps I did. To simplify matters – I installed OAM on Microsoft Windows Server, but the same should hold for Linux.

All Oracle downloads were downloaded from edelivery.oracle.com. Version is 11.1.0.6.
 

OAM Installation

  1. Install Oracle database. I didn’t install Oracle XE, but rather the Enterprise edition.
  2. Alter the Oracle database.
    1. Open sqlplus as sys and run the following commands:

        alter system set open_cursors=1000 scope=both;
        alter system set processes=1000 scope=SPFILE;

  3. Restart Oracle DB.
  4. Run RCU (V33643-01), and check the Identity Management checkbox. Proceed with the installation.
  5. Install WebLogic Server (wls1036_generic)
  6. Install SOA Suite (ofm_soa_generic_11.1.1.6.0_disk1_1of2 and ofm_soa_generic_11.1.1.6.0_disk1_2of2).
  7. Install IdM (V33644-01_1of2 and V33644-01_2of2)
  8. From your ORACLE_HOME/IDM_HOME/common/bin run the config.cmd file.
  9. Install all the required components (especially all the Oracle Access Manager relevant components).
  10. DO NOT START THE ADMIN SERVER.
  11. Run the following WLST scripts (thank you Warren):

        $MW_HOME/oracle_common/common/bin/wlst.cmd $ORACLE_HOME/common/tools/configureSecurityStore.py -d $IAM_DOMAIN_LOCATION -m create -c IAM -p $ORA_PASS
        $MW_HOME/oracle_common/common/bin/wlst.cmd $ORACLE_HOME/common/tools/configureSecurityStore.py -d $IAM_DOMAIN_LOCATION -m validate

    Where
    1. $MW_HOME is where you put the Middleware home (e.g. ~/Oracle/Middleware)
    2. $ORACLE_HOME is the Oracle IAM home (e.g. ~/Oracle/Middleware/Oracle_IAM1)
    3. $IAM_DOMAIN_LOCATION is the domain home (e.g. ~/Oracle/Middleware/user_projects/domains/OAMDomain)
    4. $ORA_PASS is the password needed to talk to the database
  12. Now you can safely run the admin server. Connect to it using IP_ADDR:7001/em, and start the OAM managed server too.

Apache installation/configuration

On a separate machine (I used RedHat Linux 5.5):

  1. Install Apache2.2
  2. Configure WebGate (I used ZIP file oam_int_linux_v10_cd1.zip)
  3. Configure Apache to act as a proxy for your Liferay server by using ProxyPass and ProxyPassReverse. For instance:

        ProxyRequests Off
        ProxyPass /web http://LIFERAY_SERVER:8080/web
        ProxyPassReverse /web http://LIFERAY_SERVER:8080/web

  4. Configure WebGate in the Apache. On my machine the configuration looked like this:

        LoadModule obWebgateModule "/usr/local/webgate/product/access/oblix/apps/webgate/bin/webgate.so"

        LoadFile "/usr/local/webgate/libgcc_s.so.1"
        LoadFile "/usr/local/webgate/libstdc++.so.6"

        WebGateInstalldir "/usr/local/webgate/product/access"
        WebGateMode PEER
        #webgateload obWebgateModule "/usr/local/webgate/product/access/oblix/apps/webgate/bin/webgate.so"

        # The <Location>/<LocationMatch> container lines below are assumed from the
        # stock WebGate 10g httpd.conf block; this page shows only the directives inside them.
        <Location /access/oblix/apps/webgate/bin/webgate.so>
            SetHandler obwebgateerr
        </Location>

        <Location "/oberr.cgi">
            SetHandler obwebgateerr
        </Location>

        # WebGate authentication is enforced for every URL served by this Apache
        <LocationMatch "/*">
            AuthType Oblix
            require valid-user
        </LocationMatch>


OAM Configuration

  1. Open the Access Manager console, and click on the “New OAM10g WebGate”
  2. Fill in the details, exactly as you did during the WebGate installation.
  3. Go to “Application Domains”, and select the newly created Application Policy
  4. Change any required value, and select “Authorization Policies”
  5. Select the “Protected Resource Policy”
  6. Select “Responses”
  7. Add a new response – HTTP Header with the name of LIFERAY_SCREEN_NAME and value of uid

Liferay Configuration

  1. Edit the portal-ext.properties file and add the following line:

        auto.login.hooks=com.liferay.portal.security.auth.RequestHeaderAutoLogin


Restart Apache, and browse to it. You should get the OAM login page, and after login – you should see that you have been automatically logged in to Liferay…
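
RequestHeaderAutoLogin signs in whichever user the LIFERAY_SCREEN_NAME header names, so every path Apache proxies to Liferay has to sit inside a container that enforces AuthType Oblix. The script below is an added example, not part of the original post: it parses an httpd.conf and lists the ProxyPass prefixes that no such container covers. The sample configuration and its /api path are constructed for illustration.

```python
import re

OPEN = re.compile(r'<(Location|LocationMatch)\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</(Location|LocationMatch)>', re.I)

# Constructed sample: the proxy lines from this post plus a second proxied
# path (/api, hypothetical) that no WebGate-protected container covers.
SAMPLE_CONF = """
ProxyRequests Off
ProxyPass /web http://LIFERAY_SERVER:8080/web
ProxyPassReverse /web http://LIFERAY_SERVER:8080/web
ProxyPass /api http://LIFERAY_SERVER:8080/api
<Location "/web">
    AuthType Oblix
    require valid-user
</Location>
"""

def parse(conf):
    """Return (ProxyPass prefixes, containers that enforce AuthType Oblix)."""
    proxied, protected, cur = [], [], None
    for line in (raw.strip() for raw in conf.splitlines()):
        words = line.lower().split()
        if not words or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            cur = {"kind": opened.group(1).lower(), "pat": opened.group(2), "seen": set()}
        elif CLOSE.match(line):
            if cur and {"authtype", "require"} <= cur["seen"]:
                protected.append((cur["kind"], cur["pat"]))
            cur = None
        elif cur is not None:
            if words == ["authtype", "oblix"] or words[:2] == ["require", "valid-user"]:
                cur["seen"].add(words[0])
        elif words[0] == "proxypass" and len(words) >= 3:
            proxied.append(line.split()[1])
    return proxied, protected

def covers(kind, pat, path):
    """Does a protected container apply to the proxied prefix itself?"""
    if kind == "locationmatch":
        return re.search(pat, path) is not None  # LocationMatch takes a regex
    base = pat.rstrip("/")                       # Location takes a URL prefix
    return path == base or path.startswith(base + "/")

def unprotected_proxy_paths(conf):
    proxied, protected = parse(conf)
    return [p for p in proxied if not any(covers(k, pat, p) for k, pat in protected)]
```

Pass the text of your own httpd.conf to `unprotected_proxy_paths`; an empty list means every ProxyPass prefix falls under a container with `AuthType Oblix` and `require valid-user`.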

13 thoughts on “Using Liferay SSO with Oracle Access Manager 11g”

  1. Hi

    It was a nice article. We are also planning to provide SSO to LifeRay Portal 6.0.x version. I was wondering you specified here about using 10g WebGate. May I know why? Does 11g WebGate not work with LifeRay Portal?


  2. I want to integrate liferay with Oracle Access Manager on cloud. Could you share integration document for linux environment?


      1. Hi liran,

        I was talking about Liferay integration with OAM. You have done same as mentioned in post. If you have any document for that integration please share.


  3. Does this apply to liferay 7.0? It does not seem to be working for me. After login via OAM, I get redirected to the liferay port 8080 page


      1. How about liferay 6.2? I’m using Oracle HTTP Server as a proxy for Liferay. The redirect is working: when I’m accessing the oracle ohs url I’m redirected to the sso page. However, after I enter the credential I’m redirected to the liferay homepage, and must enter liferay credential.
        Can you please help me on this ? What am I missing ? Or what do I need to configure extra ?


      2. Sorry – Liferay 6.2 changed a lot in their SSO architecture – and I’m not working with this version…


      3. I already changed the liferay version to 6.1 GA1, but still need to login again with liferay credential. Must the header name be LIFERAY_SCREEN_NAME?


  4. I have OAM and Liferay installed in separate weblogic server.

    I have OAM setup is ready with me and also set authorization header but somehow not able to get authorize in Liferay somehow.
    Do you see possible issue here ?


    1. Friends,

      I am actually able to perform SSO with Liferay by following the same steps given above. It works like a charm :). Only problem you might face during logout and session handling because Liferay and OAM running individual sessions and we need to handle logout separately here to kill both the sessions.
      I will post details stuff over http://www.liferaysolution.com very soon

